Steve Grubb
The first syscall is openat to get a descriptor of the directory (exit=3). The second is a call to renameat which uses that descriptor (a2=3). I'd suggest using strace to...
Do you have any debug information like a stack trace that shows where it is segfaulting? Do the logs mention where it is segfaulting? Does auditd itself mention something is...
When it segfaults, type "bt" for a backtrace. It works better if auditd is not stripped.
Yes, this looks stripped since it has double question marks. The strace kind of shows hints at where it is. ltrace would probably get closer since it's at the function...
In reviewing the strace, I think it is trying to send the DAEMON_START event. The call to getsubj failed because ENOENT, so it takes the other branch. After creating the...
Thanks. It looks like things are OK down to printf_core. The send_audit_event function variables all look OK. Some are optimized out. (I'd really like to have known what the value...
The %s means insert a string here. In this case, it's the whole audit record text as variable str. You can see the text was fine going into send_audit_event. But...
Another idea is maybe there's stack corruption somehow or undefined behavior. Might be worth adding the address and undefined behavior sanitizer flags to see if they dig up anything.
Thinking about it more, it looks like it's compiled with stack-protector-strong. That would have detected any major stack corruption. Maybe the 4.0.1 release works? (Btw, the testing on musl is...
I guess the reporter should add themselves to kernel issue 94. Closing this one.